Is your software GDPR ready? #1 – Subject access requests

Is your software GDPR ready? Q#1) How easy is it to retrieve all the information you have about one person?

 Under GDPR, any individual can write to you and ask for a copy of all the personal information that you have about them, as well as the reason why you have that information about them and who else has access to that information. This type of request is known as a ‘subject access request’, and is covered under GDPR’s ‘right of access’ for data subjects.

Individuals might make these subject access requests to your company to check the accuracy of the personal data you have about them, or to verify the lawfulness of the reasons why you have that information to begin with.

This actually isn’t too different to an individual’s rights under the outgoing Data Protection Act (DPA) – so, really, individuals have had the right to do this for a number of years already.

The key difference here is that under the DPA, companies could issue a nominal charge for complying with this service; under GDPR, you have to comply with subject access requests for free unless you can demonstrate that it is a ‘manifestly unfounded’ ‘excessive’ request, as per advice from the Information Commission’s Office.

On top of that, businesses are obligated to deliver on this service promptly: you must be able to supply all the information you have about that the individual to them within 30 days of their request, and in an easily accessible format (for example, in an email or by post).

Unfortunately, the fact is that handling subject access requests under GDPR is an inconvenience that your business must be prepared to shoulder.

Making subject access requests as painless as possible

However, regardless of whether you expect you might be handling these requests regularly or once in a blue moon, there are still ways you can prepare now so that you’ll be able to deliver on your obligations easily and quickly, without draining your business’s time and resource – and therefore keep the costs of doing so to a minimum – while also protecting yourself against any potential liabilities or fines for not doing so.

Getting a written procedure together to build a step-by-step process for handling subject access requests is by far the best way to prepare for any you may face – but to do that, you’ll first need to check where and how – and, importantly, why – you store personal information, and part of that will include the software that you use for these purposes.

The need for promptness in answering subject access requests and returning information in ‘easily accessible’ format is where it becomes important to look at the features that are provided within the software packages you use to handle personal information.

Relevant software packages to look at will include not just your customer relationship management (CRM) system, but likely also your finance and accounting system, libraries on your computer or network, email archives and email marketing apps, as well as any ancillary apps you use to run your business (for example, at MCPC we use a ticketing system for managing support requests from our customers).

First of all, you’ll want to test how easy it is (or isn’t) to find all the information you have on an individual in your systems, and then you’ll need to look into the options you have for exporting that information quickly and concisely.

How do you deliver information for subject access requests?

Probably the best format to choose wherever possible will be PDF: if you’re answering the subject access request by email, PDFs can easily be read by anyone using readily available tools (unlike other file formats), and it’s also print-ready format if you plan to answer the request by post.

If the export only options for saving personal information from your chosen software are uncommon file types, or present the information in a way that’s hard to read and understand, you’ll need to look at ways in which you can improve this before responding to the request. Otherwise, it could be argued that you haven’t met your obligations.

In this case, if you suspect this may be a risk going forward, it would be worth speaking to your software provider to see what they can do to make it easier for you. As much as handling a subject access request might seem a headache to begin with, it would be a terrible use of your or your team’s time to be shoehorned into manually extracting, formatting or copying information held in your systems to comply with your obligations under GDPR.

Other things to think about in subject access requests

Beside the information you keep in your software, you’ll also have to supply copies of any personal information you have in paper records as part of subject access requests.

As part of preparing your procedure for handling subject access requests, it’s worth looking at how efficiently you can find, and make copies of, any information held in your paper-based systems. This is bearing in mind that you may need to update that information if the individual comes back to you with requests to do so, and that you will also need to tell the individual if you don’t have any information on them.